[ISN] Laptop lock down

From: InfoSec News (alerts@private)
Date: Tue May 08 2007 - 22:02:51 PDT


http://australianit.news.com.au/articles/0,7204,21675095%5E15385%5E%5Enbv%5E,00.html

By Chris Jenkins
The Australian
MAY 08, 2007

THE scenario is all-too familiar. A big deal signed off, a few drinks to 
celebrate. Push on for a bit, then cab it home. A good time had by all. 
But, oh dear, where's the BlackBerry?

If it's not the BlackBerry, it's the laptop. Come back to the car, the 
window's smashed and the computer is gone. And not only the laptop. Gone 
too are the contact lists, the sales plan and the intelligence on 
competitors, all worth far more than a $2000 piece of kit.

With more companies giving staff laptops or handhelds to take home, 
concern over the security of these devices, and the data that resides on 
them, is growing. Vodafone business product manager Mark Corless says 
some laptops lack even basic password protection, an oversight brought 
home very quickly when the hardware goes astray.

"That can be a stake in the heart for some customers. There's a very 
quick realisation of how important that information is," he says.

Sometimes, the consequences take on national significance.

In 2003, Australian officials were left scrambling when thieves using 
forged identities stole a laptop from the Department of Transport in 
Canberra and servers from the Australian Customs service in Sydney.

In the US last year, the personal information of more than a million 
former US servicemen and women was compromised by the theft of a laptop 
used by an employee of the US Department of Veterans Affairs.

In Australia, the theft of companies' mobile computing hardware is 
fairly common.

In last year's AusCERT Computer Crime and Security Survey, 58 per cent 
of companies surveyed reported having laptops stolen, up from 53 per 
cent in 2005.

Nine per cent of companies said handhelds had been stolen last year, up 
from 8 per cent in 2005.

Forrester ICT consulting director Andrew Milroy says the risks are 
growing in line with increased usage of mobile devices.

At the same time, hardware such as PDAs and smartphones grows ever more 
capable of storing large amounts of data.

"It's difficult to put a number on, but the risk is increasing 
substantially," Milroy says. "Not many people understand the risks they 
are taking by putting so much mission-critical information on these 
devices.

"It's a risk that people have been talking about for the past couple of 
years, but it has become a lot more real lately."

After five years of being relatively flat, business interest in mobile 
applications has tripled in 2007, Vodafone's Corless says.

Many industrial-strength applications such as enterprise resource 
planning and customer relationship management systems from the likes of 
SAP and Oracle are now commonly available in mobile form.

The risk is amplified by the fact that devices and the applications they 
run are often linked to corporations by high-speed mobile data networks.

Forrester predicts overall demand for mobile data services in Australia 
will grow at 18 to 20 per cent annually over the next five years.

In Australia at present, Milroy says, the theft of a laptop or handheld 
is more likely to be the work of an opportunist.

Fortunately, while devices are stolen regularly, it seems there has been 
little effort dedicated to exploiting the information many of them 
contain.

There is also no real evidence of deliberate industrial espionage, 
Milroy says. "I can't imagine that you would tell someone to follow a 
guy around and nick his BlackBerry."

Such actions remain a possibility, though, and awareness of the security 
required for devices used outside the office is gradually increasing, 
just as awareness of identity theft has cranked up over the past couple 
of years, Milroy says.

Nevertheless, there is still some way to go before organisations realise 
what they are up against, he says.

"It's just going to take a few years before people start taking that 
risk as seriously as they really should."

The reluctance of organisations to talk about their security 
embarrassments could be masking the true extent of the problem in 
Australia, IDC senior software analyst Patrik Bihammar suggests.

"One problem is that we don't have the same disclosure laws here in 
Australia as the US does," he says.

In California, for example, companies are required by law to notify the 
public if personal data has been compromised.

As with all security problems, awareness is a key issue in the battle to 
prevent laptops and handhelds from handing over the keys to the castle.

"Although security is a big issue, I don't think it is paramount in 
people's minds. They are just thinking about how they can do more and 
more with these devices in different locations," Milroy says.

Dealing with the security of portable devices needs to be part of the 
overall approach to IT in a company, Milroy says. "Ideally it would all 
go in line with effective backup and business continuity. It's one of 
these cultural things that it's going to take people a while to catch up 
on."

Many people don't follow basic backup procedures, such as saving to 
network drives, on their desktop PCs, so archiving data is even less 
likely to happen with mobile devices, he says.

There are also more concrete approaches. Corless says the BlackBerry is 
possibly the most secure mobile device at present.

After five unsuccessful password attempts, it will automatically wipe 
all data, he says.

Safeguards are built in to prevent the data being wiped accidentally. 
Because BlackBerries are often used as a mobile extension of the 
desktop, they tend to carry a lot of critical information.

This also means that if they are regularly synced, data-wiped or lost, 
they can easily be restored to a new handset.

The ability to use a wireless data connection to remotely wipe the data 
on a device has become a popular safeguard, with products available for 
a range of device classes.

Companies need to have policies in place before things go wrong to 
ensure that appropriate action can be taken, Corless says.

For example, it can be a problem for carriers when people ring up and 
ask to have devices either struck from the network or wiped altogether 
if the person making the request is not the owner of the device or is 
not authorised to make the request.

For some users, Vodafone creates custom access point names (APNs), which 
define a group that is allowed to access the network.

If a device is not in the group definition, it doesn't get access.

"Unless we have enabled you to communicate back to your corporate 
office, it won't happen," Corless says.

Coca-Cola Amatil and electricity utilities are among the Vodafone 
customers employing this strategy, he says.

Some organisations restrict mobile devices to being thin clients that 
store no data locally.

That way, if they are stolen, all the thief gets is a basic operating 
system and some hardware.

But such a strategy limits the device to online-only use, meaning that 
if a network is not available, neither is the data. Using data live from 
the data centre also places greater demands on network performance, 
which can easily fluctuate while operating in a wireless environment.

IDC's Bihammar says data on mobile devices should be encrypted as a 
matter of course.

"Laptop and device encryption and data leakage protection are not as 
common as they should be," he says.

"Data or whole-disk encryption is clearly the first step to make it 
difficult for criminals to access any data on the device," he says.

"Organisations need to have the right policies in place and the right 
technologies to enforce the policies and lock down intellectual property 
from leaking out of their organisations.

"Whether through loss of mobile devices and physical media or through 
email, instant messaging and other messaging protocols."

As ever, the organisations most at risk of having their data compromised 
or stolen via portable devices are the ones that lack the resources to 
enforce security policies.

Small and medium businesses are considered at particular risk.

For larger companies, compliance, both with external laws and with 
internal policies, is looming as a larger issue and is forcing 
organisations to develop appropriate security policies, Milroy says.

"Organisations are being forced to be much more transparent. If you are 
public and you are being scrutinised, you want to be seen to be 
complying with certain standards, whether they're mandatory or not," he 
says.

Like the growth of internet use in organisations, the arrival of fleets 
of mobile devices is a tidal change unlikely to be held back by security 
concerns.

For that reason, security is eventually going to have to be built into 
devices, Milroy says.

"If it's not built in, you're not going to be able to sell it."


This archive was generated by hypermail 2.1.3 : Tue May 08 2007 - 22:12:32 PDT